Question about Apache security through nginx

Igor Sysoev is at rambler-co.ru
Thu Nov 24 22:43:18 MSK 2005


On Tue, 15 Nov 2005, Pavel Sokolov wrote:

> Will this reach Apache through nginx?
>
> http://www.apache.org/dist/httpd/CHANGES_1.3
>
> SECURITY: core: If a request contains both Transfer-Encoding and
> Content-Length headers, remove the Content-Length, mitigating some
> HTTP Request Splitting/Spoofing attacks.  This has no impact on
> mod_proxy_http, yet affects any module which supports chunked
> encoding yet fails to prefer T-E: chunked over the Content-Length
> purported value.  [Paul Querna, Joe Orton]

Yes, it will get through. nginx currently ignores Transfer-Encoding.
This will need to be fixed in 0.3.12.


Igor Sysoev
http://sysoev.ru
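
The rule from the quoted Apache changelog entry (drop Content-Length when Transfer-Encoding is also present), as an added example that is not part of the original message and is not Apache or nginx code. The function names and the sample requests are hypothetical and constructed for illustration.

```python
# Added example: flags a request head that carries both framing headers and
# applies the normalization described in the quoted changelog entry.

def parse_headers(raw: bytes):
    """Split a raw HTTP/1.x request head into (request_line, [(name, value)])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Reject lines without a colon or with whitespace around the name,
        # so "Content-Length : 4" cannot slip past the name comparison below.
        if not sep or name != name.strip() or not name:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers


def normalize_framing(headers):
    """Return (headers, ambiguous).

    ambiguous is True when both Transfer-Encoding and Content-Length are
    present; in that case every Content-Length header is removed, so the
    body length is decided by Transfer-Encoding alone.
    """
    names = {n.lower() for n, _ in headers}  # header names are case-insensitive
    ambiguous = "transfer-encoding" in names and "content-length" in names
    if ambiguous:
        headers = [(n, v) for n, v in headers if n.lower() != "content-length"]
    return headers, ambiguous


# Constructed sample requests (not captured traffic).
CONFLICTING = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 4\r\ntransfer-encoding: chunked\r\n\r\n")
PLAIN = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\n\r\nabcd")

if __name__ == "__main__":
    for raw in (CONFLICTING, PLAIN):
        request_line, hdrs = parse_headers(raw)
        hdrs, ambiguous = normalize_framing(hdrs)
        print(request_line, "AMBIGUOUS" if ambiguous else "ok", hdrs)
```

A front end that forwards the request unchanged leaves this decision to the back end, which is the situation the reply above describes.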




